> I thought I needed the cacert line in /etc/openldap/ldap.conf to point the
> ldap client to the CA cert we trust, otherwise we might not trust the
> server certificate being signed by the CA.
>
> Thanks again,
> Jo
>
That's correct, you always need the CA cert on all of the servers and
clients. (Unless you're using anonymous cipher suites, in which case you
don't need any certs at all. But that's pretty reckless.)
I have server-side, self-generated, self-signed certs. None of those certs exist on any
of the clients, all my ldap traffic is ssl-encrypted over 636, no problem. Is that what
you mean by "anonymous cipher suites"? If so, why is that reckless? I don't really
care if the clients misrepresent themselves, I just care that the server doesn't.
Perhaps I'm not understanding what you are saying....?
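The configuration point under discussion, as an added example that is not part of the thread: an OpenLDAP client only authenticates the server when it has a trust anchor (TLS_CACERT or TLS_CACERTDIR) and TLS_REQCERT is left at demand/hard; with TLS_REQCERT never or allow the connection is encrypted but the peer is unverified. The shell function below audits an ldap.conf body for that, run here against two constructed configs (hostnames and paths are assumed, not from the thread).

```shell
#!/bin/sh
# Added example: audit an OpenLDAP client ldap.conf for server-certificate
# validation. Both configs below are constructed for illustration.

# Encrypts to port 636 but never checks who is on the other end.
WEAK_CONF='URI ldaps://ldap.example.com:636
BASE dc=example,dc=com
TLS_REQCERT never'

# Pins the trusted CA and requires a valid server certificate.
HARDENED_CONF='URI ldaps://ldap.example.com:636
BASE dc=example,dc=com
TLS_CACERT /etc/openldap/certs/ca.crt
TLS_REQCERT demand'

# check_ldap_conf CONF_TEXT
# Returns 0 when the client will verify the server certificate: a trust
# anchor (TLS_CACERT or TLS_CACERTDIR) is configured and TLS_REQCERT is
# demand or hard (OpenLDAP's default when the keyword is absent).
# Returns 1 for never/allow/try or when no CA is configured.
check_ldap_conf() {
  conf="$1"
  # Keywords are case-insensitive; the last occurrence wins, as in ldap.conf.
  reqcert=$(printf '%s\n' "$conf" \
    | awk 'toupper($1)=="TLS_REQCERT"{print tolower($2)}' | tail -n 1)
  [ -z "$reqcert" ] && reqcert=demand
  has_ca=$(printf '%s\n' "$conf" \
    | awk 'toupper($1)=="TLS_CACERT"||toupper($1)=="TLS_CACERTDIR"{print "yes"}' \
    | head -n 1)
  case "$reqcert" in
    demand|hard) [ "$has_ca" = yes ] && return 0 ;;
  esac
  return 1
}

# report CONF_TEXT LABEL: prints PASS/FAIL for a config.
report() {
  if check_ldap_conf "$1"; then echo "PASS: $2 verifies the server"; \
  else echo "FAIL: $2 does not verify the server"; fi
}

report "$WEAK_CONF" weak
report "$HARDENED_CONF" hardened
```

Note that a client with no CA cert and the default TLS_REQCERT demand would refuse to connect to a self-signed server at all, so a setup that "just works" without any CA on the clients is almost certainly running with never or allow.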